You might assume that the criminal hackers who compromise websites, plant trojans, and deploy powerful botnet armies pay a bit more attention to security than we do. You’d be wrong, according to security vendor Avast. Apparently they’re just as guilty of using crappy passwords as the general public.
Avast’s Antonin Hyza spends his working week analyzing malware, and he’s been amassing a collection of passwords as part of his duties. He’s checked out around 40,000 so far, and determined that password security often isn’t a top concern.
For example, the average length of a password in Hyza’s database? It’s just six characters, not even close to enough to effectively thwart a brute force attack using modern hardware. Howsecureismypassword figures that passwords this short only take a few seconds to crack, even if they’re a mix of letters, numbers, and symbols. Out of the 1,601 passwords Hyza extracted, only 52 of them were longer than 12 characters — considered by many experts to be the minimum length for a strong password in 2014.
Beyond being far too short, a lot of the passwords (nearly 10%) are based on words found in a dictionary. Leaving yourself vulnerable to a dictionary attack in 2014 is facepalm-worthy stuff, especially when security pros have been yelling at us for years to at least change things up. Most criminals, however, aren’t even bothering to throw in a symbol to make things trickier. They’re content to use things like hack, password, and, of course, the f-bomb, and most don’t even mix upper and lower case.
Some hackers do make at least a half-hearted attempt. They figure that a quick translation to leetspeak will do the trick, but it’s not 1995 any more and Acid Burn is not the most awesome hacker on the planet. Today’s password-cracking engines know these tricks inside and out, and they can swap 4 for a and 1 for l without missing a beat. Microsoft’s neat little password tool can show you just how easy it is for a machine to guess these switches nowadays.
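To see why leetspeak buys nothing, here is a small password-policy check written for this article (not Avast’s or Hyza’s code) that undoes the common substitutions before a dictionary lookup and flags the weaknesses the piece lists: under 12 characters, a dictionary word, no mixed case, no symbol. The substitution table and the tiny word list are constructed for the example; a real check would load a full dictionary.

```python
import itertools
import string

# Common leetspeak substitutions (constructed table). A digit or symbol can
# stand for more than one letter, so every combination is tried.
LEET = {"4": "a", "@": "a", "3": "e", "1": "li", "!": "i",
        "0": "o", "5": "s", "$": "s", "7": "t"}

# Constructed sample dictionary: a few words the article mentions plus
# some generic favourites. Swap in a real word list for actual use.
SAMPLE_DICT = {"hack", "hacker", "password", "admin", "letmein", "secret"}


def deleet_candidates(pw):
    """Every plain-letter spelling the password could be a leetspeak form of."""
    choices = [LEET.get(ch, ch) for ch in pw.lower()]
    # product() expands "1" -> "l" and "i"; a password with many 1s grows
    # exponentially, which is fine for a policy check on a single password.
    return {"".join(combo) for combo in itertools.product(*choices)}


def weaknesses(pw, dictionary=SAMPLE_DICT, min_len=12):
    """Return short tags for each weakness found; an empty list means none."""
    found = []
    if len(pw) < min_len:
        found.append("too_short")
    # Strip trailing digits so "password1" still hits the dictionary.
    stem = pw.rstrip(string.digits)
    if any(c in dictionary for c in deleet_candidates(stem)):
        found.append("dictionary_word")
    if pw.lower() == pw or pw.upper() == pw:
        found.append("no_mixed_case")
    if not any(ch in string.punctuation for ch in pw):
        found.append("no_symbol")
    return found


if __name__ == "__main__":
    for sample in ("h4ck", "P@55w0rd1", "Xq7!mRv2kL9#pZ"):
        print(sample, "->", weaknesses(sample))
```

Both "h4ck" and "P@55w0rd1" are caught as dictionary words once the substitutions are reversed; only the random 14-character string passes clean.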
Many are even guilty of one of the cardinal sins of security: not bothering to change default credentials. That makes it easier for researchers like Hyza to undo their criminal machinations. Talk about lazy.
Ultimately, if Hyza’s looking to crack a password on a piece of malware, he’s comfortable playing the odds and using lower case English words, a number or two, and no more than six characters. This is one situation where it’s fine to encourage folks to continue using weak passwords.